Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-32376

Fix ES indexing error when adding a live proxy to a collection

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2021.0
    • Fix Version/s: 2021.52, 2023.10
    • Component/s: Collections
    • Release Notes Summary:
      Proxy indexing with Elasticsearch/Opensearch is fixed.
    • Backlog priority:
      650
    • Sprint:
      nxplatform #109, nxplatform #110
    • Story Points:
      3

      Description

      This case happens when the user adding the live proxy to the collection does not have Read permission on the live document.

      Steps to reproduce:

      1. log in as Administrator
      2. create a user "jack" who belongs to the "members" group
      3. create a File document "foo" in the personal workspace
      4. create a workspace "myworkspace" under /default-domain/workspaces
      5. use the Document.CreateLiveProxy operation to create a live proxy
        curl -X POST 'http://localhost:8080/nuxeo/site/automation/Document.CreateLiveProxy' -H 'Nuxeo-Transaction-Timeout: 3' -H 'X-NXproperties: *' -H 'X-NXRepository: default' -H 'X-NXVoidOperation: false' -H 'content-type: application/json' -d '{"params":{"Destination
         
        Path":"/default-domain/workspaces/myworkspace"},"input":"/default-domain/UserWorkspaces/Administrator/foo","context":{}}' -u Administrator:<PASSWORD> 
      6. log in a jack
      7. navigate to the live proxy "foo" in /default-domain/workspaces/myworkspace
      8. click on the button to add the document to a collection
      9. observe that the document is added to a collection
      10. at the same time in the logs an error is produced and related to the ES indexing
      ERROR [EventServiceImpl] Exception during elasticSearchInlineListener sync listener execution (after 2ms), continuing to run other listeners
      org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'jack'
      	at org.nuxeo.ecm.core.api.AbstractSession.checkPermission(AbstractSession.java:272) ~[nuxeo-core-2021.50.12.jar:?]
      	at org.nuxeo.ecm.core.api.AbstractSession.getDocument(AbstractSession.java:1029) ~[nuxeo-core-2021.50.12.jar:?]
      	at org.nuxeo.elasticsearch.commands.IndexingCommandsStacker.stackCommand(IndexingCommandsStacker.java:155) ~[nuxeo-elasticsearch-core-2021.49.2.jar:?]
      	at org.nuxeo.elasticsearch.commands.IndexingCommandsStacker.stackCommand(IndexingCommandsStacker.java:106) ~[nuxeo-elasticsearch-core-2021.49.2.jar:?]
      	at org.nuxeo.elasticsearch.commands.IndexingCommandsStacker.stackCommand(IndexingCommandsStacker.java:93) ~[nuxeo-elasticsearch-core-2021.49.2.jar:?]
      	at org.nuxeo.elasticsearch.listener.ElasticSearchInlineListener.handleEvent(ElasticSearchInlineListener.java:110) ~[nuxeo-elasticsearch-core-2021.49.2.jar:?]
      	at org.nuxeo.ecm.core.event.impl.EventServiceImpl.fireEvent(EventServiceImpl.java:280) ~[nuxeo-core-event-2021.45.8.jar:?]
      	at org.nuxeo.ecm.core.api.AbstractSession.notifyEvent(AbstractSession.java:318) ~[nuxeo-core-2021.50.12.jar:?]
      	at org.nuxeo.ecm.core.api.AbstractSession.saveDocument(AbstractSession.java:1737) ~[nuxeo-core-2021.50.12.jar:?]
      	at org.nuxeo.ecm.collections.core.CollectionManagerImpl$1.run(CollectionManagerImpl.java:103) ~[nuxeo-platform-collections-core-2021.34.5.jar:?]
      	at org.nuxeo.ecm.core.api.UnrestrictedSessionRunner.runUnrestricted(UnrestrictedSessionRunner.java:123) ~[nuxeo-core-api-2021.50.12.jar:?]
      	at org.nuxeo.ecm.collections.core.CollectionManagerImpl.addToCollection(CollectionManagerImpl.java:107) ~[nuxeo-platform-collections-core-2021.34.5.jar:?]
      	at org.nuxeo.ecm.automation.core.operations.collections.AddToCollectionOperation.run(AddToCollectionOperation.java:62) ~[nuxeo-automation-features-2021.50.12.jar:?]
      

      Expected behavior: the live proxy is added to the collection and no error happens

      Possible cause: The bug may be related to the fact that the adapted document used in the unrestricted session block in CollectionManagerImpl#addToCollection was fetched with the user's core session, not the unrestricted session.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: